Network Segmentation - Is it overrated?

Network segmentation has evolved over time and is probably one of the most widely used network deployment strategies for management and security. It can range from something as simple as a firewall-VLAN combo to a complex segmentation architecture such as SDN-based, “zero trust model” micro-segmentation that defines policies for virtualized environments and virtualized payloads to protect traffic flowing east-west in a data center.

Yep! The above sentence looks overly compound and complicated. Unfortunately, that is what network segmentation looks like.

Too many technology choices have often made their adoption orthogonal to business realities on the ground. Those realities are:

  • Network segmentation adoptions are, most of the time, business decisions and not technological choices.
  • A lack of expertise and of available trained resources, aggravated by inherent complexity, has made organizations stop short of proper adoption.
  • From a cost-to-benefit point of view, moving to advanced network segmentation may sound like it costs an arm and a leg!

Moreover, there are often practical limits to network segmentation. 

  • Firstly, the jury is still out on what the right level of segmentation is: how to segment your network and how much to segment. The year is 2018 and there are still lots of flat networks within organizations. The reason is that there is no simple answer to this question.
  • While network segmentation is a step in the right direction for network security, it does not eliminate the risk. Proper network segmentation is hard to achieve, particularly in hospital environments involving numerous medical devices that need to communicate with each other. For example, an HL7 interface engine needs to communicate with nearly every device in the network. This often mandates that it be part of a network where it has access to almost everything. As a result, network administrators often end up creating a flat network or one large segment.
  • Most of the time it is the edge device that is vulnerable. No matter how strong your segmentation is, if the device is part of the segmented network, the ‘infection’ will ‘bleed’ into the network. Keeping in mind my second point above, these ‘bleeds’ are often big enough to bring down the entire network.
  • The other extreme involves over-segmentation, where complex zoning policies such as north-south and east-west rules govern the traffic flows. In such deployments administrators end up creating far too many zones, only to drill a number of traffic holes between these zones for performance improvements. This often makes vulnerability detection and isolation a painful undertaking. Containment efforts now span multiple zones and segments.
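
To make the HL7 and ‘traffic holes’ points concrete, here is an added example (not from the original post) that treats zone-to-zone allow rules as a graph and measures how far a single compromised zone can reach. The zone names and the policy are constructed, and the model makes the worst-case assumption that any host reachable over an allowed flow can become the next hop.

```python
from collections import deque

# Constructed sample policy (zone names are hypothetical): each zone maps to
# the zones it is allowed to open connections to. "interface" hosts the HL7
# interface engine, which must talk to nearly every clinical zone.
POLICY = {
    "imaging":    {"interface"},
    "infusion":   {"interface"},
    "lab":        {"interface"},
    "ehr":        {"interface"},
    "guest_wifi": set(),
    "interface":  {"imaging", "infusion", "lab", "ehr"},
}

def blast_radius(policy, start):
    """Zones reachable from `start` by chaining allowed flows (BFS).

    Worst-case assumption: a host reached over an allowed flow can itself
    be compromised and used as the next hop.
    """
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in policy.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def without_zone(policy, removed):
    """Copy of the policy with one zone and every rule touching it deleted."""
    return {z: dsts - {removed} for z, dsts in policy.items() if z != removed}

def mean_radius(policy):
    """Average number of zones exposed when a single zone is compromised."""
    return sum(len(blast_radius(policy, z)) for z in policy) / len(policy)

def chokepoints(policy):
    """Rank zones by how much removing them shrinks the mean blast radius."""
    base = mean_radius(policy)
    drop = {z: base - mean_radius(without_zone(policy, z)) for z in policy}
    return sorted(drop.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    print("imaging reaches:", sorted(blast_radius(POLICY, "imaging")))
    for zone, drop in chokepoints(POLICY):
        print(f"{zone:11s} mean blast radius drops by {drop:.2f} if isolated")
```

Each clinical zone has exactly one allow rule, yet every one of them transitively reaches all the others through the interface zone, which is why it ranks first as the chokepoint to harden and monitor.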

Summing up, proper network segmentation is required, as it is one of the many pillars for creating a security fence to protect critical business investments. However, it alone cannot solve the security demands of your organization.

Organizations require a solid edge protection solution, using principles of science and mathematics along with cyber threat intelligence and traffic behavioral frameworks, to prevent and detect anomalous traffic at the edge of their network.